Five ways to stay safe with social networks

Social networks are all-pervasive, but aren't always safe. Candid Wueest, a Senior Security Researcher at Symantec, has some top tips for keeping yourself safe online.

Businesses are certainly becoming well versed in the advantages of integrating social networking into the workplace - especially as younger digital natives are starting employment.

However, web-based attacks are now the primary vector for malicious activity over the internet, and many of these are increasingly coming from social networks such as Facebook, Twitter, and YouTube.

By hiding behind the reputation and brand trust built by legitimate social networks, spammers are able to distribute an increasing number of malicious and phishing emails, something that recent research shows is only set to grow over time.

With employees increasingly accessing social networking sites on their business PCs and laptops, any attack via social networking platforms can place company data directly at risk.

Here are some of the simple acts that businesses can share with their employees to ensure they are protected from common social network attacks:

1. Don’t click on unknown links.

Sharing links via Facebook or Twitter is a common act, but avoid clicking on blind links where the destination website cannot be seen in the URL (as is increasingly common with URL-shortening applications such as bit.ly). These links can open you up to malicious attacks and place sensitive company data in a vulnerable position.

2. Don’t share personal information.

Avoid including personally identifiable information when communicating online, such as date of birth, postal address, and certainly not bank details. Savvy online criminals can piece together information from different sites in order to steal individual identities and run up massive bills on company credit cards, or even create a fake passport in an employee’s name.

3. Set strong passwords.

Simple acts, such as developing strong passwords that are changed at least every 45-60 days, can dramatically improve IT security with minimal intrusion on time. Encourage employees not to let passwords be saved by default when using the internet, as a misplaced laptop then gives the unscrupulous easy access to sensitive data.

4. Beware fake friends.

A common phishing attack occurs when criminals hijack social networking accounts and distribute messages to all the contacts in that individual’s contact book. Clicking on a message from a ‘fake friend’ such as this can lead to an external site that allows malicious code to enter your computer system. If you receive a message that seems out of character, always confirm who the sender is before opening it.

5. Invest in security software.

Don’t cut corners when it comes to anti-virus software. You might think you’re being economical in the short term by simply downloading some free software online, but once a malicious piece of software manages to enter your computer, it can cost a fortune to fix, and that £60 can start to feel like a bargain.

BCS, the Chartered Institute for IT, has recently launched a campaign to raise awareness of the importance of safe and secure internet usage. Are you a savvy citizen? Find out at http://savvycitizens.bcs.org.

Prosper Onogberie wrote on 14th Jan 2010

On the fake friend case number 4.

There was a series of mails going round on Facebook lately from genuine friends which obviously were not from the said sender, and contained links to an inactive site.
Even friends of mine got a message from me which was obviously fake.

These things are getting more sophisticated than just some random profile sending malicious links.

Kris Peckham wrote on 14th Jan 2010

I feel that as an IT society we are very passive. The plethora of viruses, trojans and other mischievous elements that are prevalent within both the business and private environment are costing us vast amounts of time and money to resolve.

I think that it is about time the industry takes a more active role in tracing the source of these attacks and eliminating it at source.

PaulB wrote on 14th Jan 2010

I participated in a charity bike ride last year and the associated website had a "link up with FaceBook" feature. When you used this, it allowed their application to write "begging notes" to your feed without you even knowing. After the first one of these, I blocked its access in the privacy settings, but many of my friends didn't realize this. For many of them the app kept sending notes well after the event was completed, and even after they had surpassed their fund raising goals!

It wasn't even a smart app as it said things like "X has raised $200 of their $150 target. Can you help?"... well, of course... send me a cheque!

Whenever you use a "link with facebook" feature, check the applications settings!

David Owen wrote on 14th Jan 2010

Item 3 has a great title (Set Strong Passwords) and then goes on to negate it by recommending that the password be changed regularly. There was a great article in Usenix's ;login a few years ago that demonstrated that changing a password regularly does not make it strong (http://www.usenix.org/publications/login/2006-12/pdfs/howard.pdf). There *are* good reasons for changing a password regularly (i.e. in a system admin group where the password is shared and personnel who know it move to new roles or companies). If it is your own private account, follow the advice in the article and choose one from a large alphabet!
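To put numbers on the "large alphabet" point above (and on tip 3 in the article), here is an added Python example; it is not code from the article, from BCS or from the commenter. The character classes, the constructed sample passwords and the 60-bit policy threshold are assumptions chosen for illustration. It estimates the guessing space of a password as length × log2(alphabet size), which is what "choose from a large alphabet" buys you, and shows that length contributes in the same way.

```python
# Added example (not from the article or the comment): estimate how much
# guessing work a password represents from its length and alphabet size.
import math
import string

# Character classes and the alphabet each one contributes (assumed classes).
CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26
    "uppercase": string.ascii_uppercase,   # 26
    "digits": string.digits,               # 10
    "symbols": string.punctuation,         # 32
}


def alphabet_size(password):
    """Size of the alphabet a guesser must assume, given which classes appear.

    Only classes actually present count: 'password' is drawn from 26 symbols,
    'Pa55w0rd!' from 26 + 26 + 10 + 32 = 94.
    """
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def entropy_bits(password):
    """Upper bound on entropy: length * log2(alphabet), assuming uniform random choice.

    Real passwords are far from uniform, so this is optimistic, but it is the
    right quantity for comparing 'longer' against 'larger alphabet'.
    """
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def meets_policy(password, min_bits=60):
    """True if the estimated entropy clears the (assumed) policy threshold."""
    return entropy_bits(password) >= min_bits


def compare(candidates):
    """Return (password, alphabet, bits) for each candidate, strongest first."""
    rows = [(p, alphabet_size(p), round(entropy_bits(p), 1)) for p in candidates]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    # Constructed samples: a dictionary word, a short mixed-class string, a long lowercase phrase.
    for pw, size, bits in compare(["password", "Pa55w0rd!", "shoreprismoaklantern"]):
        print(f"{pw:22s} alphabet={size:3d} bits={bits:5.1f} ok={meets_policy(pw)}")
```

Running it shows the trade-off the comment is making: nine characters from a 94-symbol alphabet give about 59 bits, while twenty lowercase letters give about 94 bits, so both a larger alphabet and more length raise the bar, whereas changing the password every few weeks changes neither number.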

Peter Fisk wrote on 15th Jan 2010

In response to Colin Campbell's question, in a recent PCPro review, Avast gave better malware discovery results than some of the paid-for software. Bear in mind that it is not a complete suite, though, and that the Linux version lags behind the Windows version.

David Harley wrote on 17th Jan 2010

Free versions of commercial AV are "loss leaders": their intended audience is people who wouldn't pay for AV. Since AV companies generally have to pay money -somewhere- along the line, free versions are not usually intended for use by businesses, and have limited functionality and support compared to for-fee versions.

Stephen Clothier wrote on 6th Feb 2010

I agree with the comment that we are all too passive about security. Our governments are reacting to security in the physical terrorist sphere aggressively even though mostly the risk is quite low compared to cyberattack (even if the impact is frighteningly spectacular as delivered by the media). Perhaps governments will have to be more aggressive also in the cyberworld - after all it is a main organ for all types of terrorists. What if we all had a kind of "registered" driving license to pass through any router on the internet? It would not eliminate all types of fraud but would make it much harder to "hit and run".

Steve wrote on 16th Mar 2010

Interesting that the email that led me to this article and the fourth paragraph breach recommendation 1. I could have right-clicked on the links but I didn't.
Recommendation 3 encourages people to write down passwords.

Chris wrote on 20th Mar 2010

There are browser add-ons and extensions available to handle link obscurity. Check out the free 'Long URL Please' (longurlplease.com) Firefox extension, which expands shortened URLs on-the-fly and replaces them on the page with the full target URL.
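Tip 1 in the article and the comment above both concern the same problem: a shortened link hides its destination. The following added Python example (not code from the article, from BCS, from the commenter or from the 'Long URL Please' extension) shows the defender-side version of what such a tool does: it issues HEAD requests and records each redirect hop without letting a browser follow the link, so the real destination can be inspected first. The list of shortener hosts is illustrative (bit.ly is the one the article names), and the tiny HTTP server at the end is a constructed stand-in for a shortening service so the example runs offline.

```python
# Added example: preview a shortened link's destination with HEAD requests,
# stopping at each redirect instead of letting a browser follow it blind.
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hosts commonly used for URL shortening (illustrative list, not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def is_shortened(url):
    """True if the URL's host is a known shortener, i.e. the destination is hidden."""
    host = urllib.parse.urlsplit(url).hostname or ""
    return host.lower() in SHORTENER_HOSTS


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def expand_url(url, max_hops=5, timeout=5):
    """Follow the redirect chain hop by hop with HEAD requests.

    Returns the list of URLs visited, starting with `url`. The last entry is the
    first URL that did not redirect, or the hop at which we gave up.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    chain = [url]
    for _ in range(max_hops):
        req = urllib.request.Request(chain[-1], method="HEAD")
        try:
            opener.open(req, timeout=timeout).close()
            return chain                      # 2xx: this is the real destination
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and location:
                # Location may be relative; resolve it against the current hop.
                chain.append(urllib.parse.urljoin(chain[-1], location))
                continue
            return chain                      # 4xx/5xx: stop and report what we saw
    return chain                              # too many hops: possible redirect loop


# --- constructed local stand-in for a shortener, so the example runs offline ---
class _FakeShortener(BaseHTTPRequestHandler):
    ROUTES = {"/abc123": "/landing"}          # short code -> destination path

    def do_HEAD(self):
        if self.path in self.ROUTES:
            self.send_response(302)
            self.send_header("Location", self.ROUTES[self.path])
            self.end_headers()
        elif self.path == "/landing":
            self.send_response(200)
            self.end_headers()
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):             # keep output quiet
        pass


def run_local_demo():
    """Start the fake shortener on localhost, expand one short link, return the chain."""
    server = HTTPServer(("127.0.0.1", 0), _FakeShortener)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        base = f"http://127.0.0.1:{server.server_port}"
        return expand_url(f"{base}/abc123")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for hop, u in enumerate(run_local_demo()):
        print(f"hop {hop}: {u}")
    print("bit.ly link hides its destination?", is_shortened("http://bit.ly/xyz"))
```

Using HEAD rather than GET means no page body is fetched while you look at the chain, and capping the number of hops keeps a deliberately looping redirect from running forever; whatever the final hostname turns out to be can then be checked against your own allow- or block-lists before anyone clicks.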